NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

GUIDELINES ON SECURING PUBLIC WEB SERVERS
4. Securing the Web Server Operating System
Protecting a Web server from compromise involves hardening the underlying OS, the Web server
application, and the network to prevent malicious entities from directly attacking the Web server. The
first step in securing a Web server, hardening the underlying OS, is discussed at length in this section.
(Securing the Web server application and the network are addressed in Sections 5 and 8, respectively.)
All commonly available Web servers operate on a general-purpose OS. Many security issues can be
avoided if the OSs underlying the Web servers are configured appropriately. Default hardware and
software configurations are typically set by manufacturers to emphasize features, functions, and ease of
use, at the expense of security. Because manufacturers are unaware of each organization’s security needs,
each Web server administrator must configure new servers to reflect their organization’s security
requirements and reconfigure them as those requirements change. The practices recommended here are
designed to help Web server administrators configure and deploy Web servers that satisfy their
organizations’ security requirements. Web server administrators managing existing Web servers should
confirm that their systems address the issues discussed.
The techniques for hardening different OSs vary greatly; therefore, this section includes the generic
procedures common in securing most OSs. Security configuration guides and checklists for many OSs
are publicly available; these documents typically contain recommendations for settings that improve the
default level of security, and they may also contain step-by-step instructions for securing systems. 16 In
addition, many organizations maintain their own guidelines specific to their requirements. Some
automated tools also exist for hardening OSs, and their use is strongly recommended (see Appendix D).
Five basic steps are necessary to maintain basic OS security:
Planning the installation and deployment of the host OS and other components for the Web server
Patching and updating the host OS as required
Hardening and configuring the host OS to address security adequately
Installing and configuring additional security controls, if needed
Testing the host OS to ensure that the previous four steps adequately addressed all security issues.
The first step is discussed in Section 3. The other steps are covered in Sections 4.1 and 4.2.
4.1 Installing and Configuring the Operating System
This section provides an overview of the second, third, and fourth steps in the list above. The combined
result of these steps should be a reasonable level of protection for the Web server’s OS.
4.1.1 Patch and Upgrade Operating System
Once an OS is installed, applying needed patches or upgrades to correct for known vulnerabilities is
essential. Any known vulnerabilities an OS has should be corrected before using it to host a Web server
16
Checklists and implementation guides for various operating systems and applications are available from <strong>NIST</strong> at
http://checklists.nist.gov/. Also, see <strong>NIST</strong> SP <strong>800</strong>-70, Security Configuration Checklists Program for IT Products, available
at the same Web site, for general information about <strong>NIST</strong>’s checklists program.
4-1